infra/roles/wireguard/tasks/wireguard.yml

---

- name: create keys if they dont exist
  shell:
    cmd: "wg genkey | tee {{ inventory_hostname }} | wg pubkey > {{ inventory_hostname }}.pub"
    chdir: "{{ wireguard_keydir }}"
    creates: "{{ wireguard_keydir }}/{{ inventory_hostname }}"
  delegate_to: localhost
  tags:
    - wg-keygen

- name: enable ip_forward in proc
  sysctl:
    name: net.ipv4.ip_forward
    value: "1"
    sysctl_set:
    state: present
    reload: yes

  #shell: "bash -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'"

- name: enable ip_forward in sysctl.conf
  replace:
    path: /etc/sysctl.conf
    regexp: '^#net.ipv4.ip_forward.*$'
    replace: 'net.ipv4.ip_forward=1'
  notify: systemctl daemon reload

- name: enable ip_forward in proc
  sysctl:
    name: net.ipv4.ip_forward
    value: "1"
    sysctl_set: yes
    state: present
    reload: yes

- name: install wireguard
  apt:
    name:
      - wireguard
      - qrencode
      - resolvconf
    state: present
  tags:
    - packages

- name: load kernel module
  modprobe:
    name: wireguard
    state: present

- name: template wg-post-up script
  template:
    src: wg-post-up.sh.j2
    dest: /usr/local/bin/wg-post-up.sh
    mode: 0770
    owner: root
    group: root
  tags: wg-scripts

- name: template wg0 config
  template:
    src: wg0.conf.j2
    dest: /etc/wireguard/wg0.conf
    owner: root
    group: root
    mode: 0700
  notify: restart wireguard
  tags:
    - wg0.conf

- name: enable wireguard server with wg-quick
  service:
    name: wg-quick@wg0
    enabled: yes
    state: started